The following prerequisites apply:
- Servers must have the following installations:
  - Hermod 2.3.1 on premises or as a service. See Install Hermod.
- Clients must have the following installations:
  - Fully updated Windows 10
  - Personal Desktop App version 1.0. See Install and upgrade Personal Desktop App.
- A valid API key must be generated from Hermod. See Add API user and callback URL in Hermod.
- HTTPS communication is required:
  - Hermod must run on an HTTPS port.
  - PRIME must run on the HTTPS port used by Hermod for callbacks. See Add API user and callback URL in Hermod.
- The virtual smart card (VSC) function must be initialized. For more information, see Create virtual smart card.
PRIME and Hermod must trust each other's respective certificate.
- Make sure that Hermod and PRIME trust each other's certificates, in either of the following ways:
  - The Java Virtual Machines (JVMs) that are used by PRIME and Hermod have valid SSL certificates.
  - In case of self-signed certificates, PRIME and Hermod have each other's certificates in their cacerts file.
The cacerts content is passed as JVM arguments to the respective Tomcat, for example via CATALINA_OPTS:
To configure the Hermod callback to PRIME:
- In the Hermod installation, open cod-hermod.yml and configure the callback to PRIME. For more information, see Install Hermod. Make the following settings:
  - datasource: enter the details for your database. The database must be empty and initialized using scripts from the Hermod distribution. Use the script with the highest version number.
  - X-Api-Key: enter a valid key. For more information, see Add API user and callback URL in Hermod.
  - callbackUrl: enter the Hermod callback endpoint of PRIME Explorer, for example:
  - publicUrl: enter the Hermod REST service endpoint, for example:
To configure the connection to Hermod, do the following settings in PRIME:
- Open the system properties file for PRIME Explorer: \prime_explorer\WEB-INF\classes\system.properties
- Make the following settings:
  - In authenticationToken, enter the X-API-Key from the Hermod configuration.
  - Optionally, set provisionCallback.deviceNameField to override the default field into which the device name is stored by the provisioning callback.
Personal Desktop App returns the configured computer name as deviceName instead of just a generic name. This is only for information, and not a unique identifier.
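A pre-flight check for the two configuration files described above, as an added example that is not part of the product documentation or of either product's code. It assumes the settings appear as single-line `key: value` entries in cod-hermod.yml and `key=value` entries in system.properties, with names ending in the ones given above; the hosts, paths and key values in the sample are constructed.

```python
import hmac
import re
from urllib.parse import urlsplit

def find_values(text, key, sep):
    """Return every value assigned to an entry whose name ends in `key`."""
    # Assumption: single-line "name<sep>value" entries; nesting is ignored
    # and commented-out lines do not match.
    pattern = re.compile(
        r"^[ \t]*[\w.\-]*" + re.escape(key) + r"[ \t]*" + re.escape(sep)
        + r"[ \t]*(.*?)[ \t]*$", re.MULTILINE)
    return [m.group(1).strip().strip("'\"") for m in pattern.finditer(text)]

def check_config(hermod_yml, prime_props):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # Both endpoints must be HTTPS: the page's fix for the
    # "Domain mismatch" error is to use HTTPS for PRIME and Hermod.
    for key in ("callbackUrl", "publicUrl"):
        values = find_values(hermod_yml, key, ":")
        if not values:
            findings.append(f"{key}: not set")
        for url in values:
            parts = urlsplit(url)
            if parts.scheme.lower() != "https" or not parts.hostname:
                findings.append(f"{key}: not an HTTPS URL: {url}")
    # The token configured in PRIME must equal the Hermod API key.
    # Findings never echo the key material itself.
    keys = find_values(hermod_yml, "X-Api-Key", ":")
    tokens = find_values(prime_props, "authenticationToken", "=")
    if not keys or not keys[0]:
        findings.append("X-Api-Key: not set in cod-hermod.yml")
    elif not tokens or not tokens[0]:
        findings.append("authenticationToken: not set in system.properties")
    elif not hmac.compare_digest(keys[0].encode(), tokens[0].encode()):
        findings.append("authenticationToken does not match X-Api-Key")
    return findings

# Constructed sample contents; hosts, paths and key values are placeholders.
SAMPLE_YML = """\
X-Api-Key: EXAMPLE-KEY-0001
callbackUrl: http://prime.example.test:8443/callback
publicUrl: https://hermod.example.test:8444/rest
"""
SAMPLE_PROPS = "authenticationToken=EXAMPLE-KEY-0002\n"

if __name__ == "__main__":
    for finding in check_config(SAMPLE_YML, SAMPLE_PROPS):
        print("FINDING:", finding)
```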
Popups must be allowed for the running PRIME server to be able to call the Personal Desktop App plugout URL. Most browsers block them by default and show a very subtle hint that a popup was blocked.
If the Personal Desktop App plugout URL is not called, check your browser's URL bar for any indication about blocked popups and add an exception.
To troubleshoot Personal Desktop App, consult the log file. Here are some common errors and suggestions on how to fix them:
Virtual smart card creation failed - Insufficient resources
Error: Virtual Smart Card creation failed! --> System.Exception: The target device has insufficient resources to complete the operation. (Exception from HRESULT: 0x80070142)
Solution: Remove some virtual smart cards and try again.
Virtual smart card creation failed - Operation requires elevation
Error: Virtual Smart Card creation failed! --> System.Exception: The requested operation requires elevation. (Exception from HRESULT: 0x800702E4)
Solution: Make sure you follow the prerequisites listed above. Log in as administrator and try again.
Error: Domain mismatch error message
Solution: Make sure you use HTTPS for PRIME and Hermod.
Personal Desktop App crashes
Error: Personal Desktop App crashes
Solution: Update Windows.
This article is valid from PRIME 3.9.
- To see the predefined Smart ID use cases for virtual smart cards, see Virtual smart card management.
- To see the available delegate classes for virtual smart cards, see 3.9 - Personal Server - Standard service tasks.
- For more information on Hermod, see Hermod.